[57] ABSTRACT

Apparatus and method for testing the integrity of computer 
alarm systems which can be part of a computing network, 
includes testing the computer alarm system by simulating an 
attack on the computing network including the alarm system 
itself. Thereafter, information, pertaining to the status of the 
computing network alarm system attendant upon the simu- 
lated attack, is registered. 

20 Claims, 3 Drawing Sheets

METHOD AND APPARATUS FOR TESTING
THE INTEGRITY OF COMPUTER 
SECURITY ALARM SYSTEMS 

FIELD OF THE INVENTION 

This invention relates to a method and apparatus for 
testing the integrity of computer security alarm systems. 

BACKGROUND OF THE INVENTION 

Known methods and forms pertinent for safeguarding the 
integrity of computer systems include, inter alia, password 
verification procedures, alarms enabled by several consecu- 
tive unauthorized log-ons, safeguards employable against 
multiple legitimate users at the same time, and safeguards 
employable against invasion of computer viruses, enabled 
by searching for specific code and data patterns of specific 
known viruses. 

SUMMARY OF THE INVENTION 

Our work centers on a critique of the capabilities and 
viability of the foregoing representative methods and forms 
for safeguarding the integrity of computer systems, to an end 
of disclosing novel methodology and apparatus which can 
advantageously improve or complement their performance. 

In this regard, we have found that all of these represen- 
tative methods and forms rely on an implicit antecedent 
assumption: that the security methods and forms
themselves necessarily manifest a requisite effectiveness
and reliability. However, this assumption, without more, 
may be naive, and failure to realize it may render nugatory 
(e.g., worthless, invalid, inoperative, etc.) an entire security 
program. 

Based on the present inventors' recognition of the above
problem, a novel method and apparatus are provided for 
testing the integrity of computer security alarm systems, 
thereby protecting a computer system (network) from unau- 
thorized penetration. 

In a first aspect, the novel method is suitable for testing 
the integrity of computer alarm systems which can be part of 
a computing network, and includes testing the computer 
alarm system by simulating an attack on the computing 
network including the alarm system itself, and registering 
information pertaining to the status of the computing
network alarm system attendant upon the simulated attack.

In a second aspect, the novel apparatus is suitable for 
testing the integrity of computer alarm systems which can be 
part of a computing network, and includes a tester for testing 
the computer alarm system by simulating an attack on the 
computing network including the alarm system itself, and a 
register for registering information pertaining to the status of 
the computing network alarm system attendant upon the 
simulated attack. 

Preferably, the alarm testing system is embedded as a 
software package in a single computer, or in all of the nodes, 
and preferably used to test all computer nodes. The security 
alarm system is therefore preferably on line, and operates in 
real time. 

The testing of the security alarm system comprises simu- 
lating an attack, as discussed above, and observing if the 
security system responds with recognition of the attack and 
generation of an appropriate alarm. 

Thus, with the invention the integrity of a computer 
system can be tested reliably to improve or complement the 
system's performance.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is illustrated in the accompanying 
drawings, in which: 

FIG. 1 shows a computing network; 

FIG. 2 shows a typical processor system comprising 
either a single computer or a network of connected 
computers, the processor system containing programs and 
data files which are embedded in an operating system A;

FIG. 3 shows the FIG. 2 processor system including an
embedded alarm system B for determining if the security 
and integrity of the processor system is violated or not; 

FIG. 4 shows an alarm testing system C which is also 
embedded in a computer system;

FIG. 5 shows the FIG. 1 computing network with an
additional processing node that can serve as a security alarm 
tester for implementing the alarm testing simulated attacks; 
and 

FIG. 6 presents a flowchart pertinent to the method of the 
present invention.

DETAILED DESCRIPTION OF THE 
INVENTION 

The detailed description of the invention proceeds by first 
elaborating preferred computer network structures suitable
for realizing the method and apparatus of the present 
invention, as summarized above. Then, secondly, functional 
aspects of the method are discussed, with particular empha- 
sis on five representative classes or types of invasion and 
attempted invasion of computer security. Thirdly, function
details of a security alarm tester are set forth, followed, 
fourthly, by attack simulation details, examples, and
flowchart realization of the present method.

Structure

Preferred realization of the present method and apparatus
may be effected by a conventional processor system com- 
prising a single computer or a network of connected com- 
puters. For example, FIG. 1 shows a network 10, where each 
node (A, B, C, D) in the network represents a computer. The
detailed description that follows references a single
processor for the sake of convenience.

FIG. 2 shows a typical processor 12 containing programs 
and data files typically associated with an operating system 
(A). 

FIG. 3 shows a processor 14, substantially the same as the
FIG. 2 processor 12, but further comprising an embedded 
alarm system B. The function of the alarm system is to 
determine if the security and integrity of the processor 14 is 
violated or not. Functional details of the alarm system B are
set forth below.

FIG. 4 shows a processor 16, substantially the same as the 
FIG. 3 processor 14, but further comprising a security alarm 
testing system C (a salient component of the present 
invention) and a register 15 for registering information
pertaining to the status of the alarm system C attendant upon
a simulated attack. The security alarm testing system pref- 
erably is connected to the operating system, and preferably 
is capable of providing input to the operating system and 
also operating on programs and data files via the operating
system, all by way of known conventional techniques.

FIG. 5 shows a network 18 similar to that shown in FIG. 
1, but with an additional processing node that can serve as 
a security alarm tester for implementing the alarm testing 
simulated attacks. 

Function

The computer alarm system of the type referenced in FIG. 
3, preferably checks for various types of invasion of and
attempted invasion of computer security. Five illustrative
classes of invasion are considered below: 

(i) a user attempting to log on with a false password. If the 
number of attempted log-ons reaches a specified 
number, an error message may be recorded, and an
alarm may be given to the security manager. 

(ii) a user with legal ID (identification) and password 
attempts to log on, but that user ID is already in use; 
i.e., no more than one legal ID can be operational at any 
one time in the computer.

(iii) a legitimate user on the system attempts to go beyond
his authorized scope (e.g., accessing unauthorized
files), or run programs which he is not authorized to
run.

(iv) modifications of programs or data files without autho- 
rization. 

(v) unauthorized transmission of programs or data files to 
another user or to another node outside the computer 
network.

Function Details of the Security Alarm Tester 

The security alarm tester preferably will own a set of user 
IDs and passwords. The security alarm system may be tested 
by means of simulated attack on the computer system. The 
five classes of attacks are preferably simulated at random
times, preferably provided each day by a random
number generator. Both the times of attack and the types of 
attack preferably are generated randomly. 

If the alarm system is functioning, the security manager 
must receive alarms at these times, and records of this attack
must be present. For example, at a time specified by the 
random number generator, the tester will simulate any one of 
the available attacks (e.g., try to logon twice with the same 
ID). An alarm will be sent to the security manager, and a new 
record will be added to the security log file in register 15.
Attacks of domain violations, unauthorized modifications,
illegal transmissions, etc., will be simulated randomly. The
use of random times, different ones for each day, inhibits a
real attack from taking advantage of knowledge of prior
alarms.

Attack Simulation Details and Examples

As mentioned above, the alarm testing system preferably 
is embedded as a software package in a single computer, or 
in all of the nodes, and preferably used to test all computer 
nodes. The security alarm system is therefore preferably on
line, and operates in real time. 

The testing of the security alarm system comprises simu- 
lating an attack, as discussed above, and observing if the 
security system responds with recognition of the attack and 
generation of an appropriate alarm.

Specifically, the following steps are preferably executed: 

(i) a set of pairs (e.g., a set including at least one group of 
paired first and second elements), one element repre- 
senting the type of attack that is to take place, and the 
other representing a "random" time at which the attack
is to take place. This set of attack-pairs can be dynami- 
cally generated, with a record of it supplied to the 
security manager, or the entire set of pairs can be 
supplied in advance by the operator or system. 

(ii) at the appropriate time Ti supplied by the current
attack-pair, the specified attack Ei supplied by the 
current attack-pair, is executed. For example, a set of 
false passwords (e.g., incorrect passwords) for a legiti- 
mate user (namely, an ID owned by the security tester), 
which exceeds the permissible limit is used to try to
logon to the system, or a specific code and data pattern 
for a known virus is injected into the system.

(iii) the response of the security alarm system (if any) is
noted. Does the security system register an attack of the 
given type? If so, are the appropriate messages sent to 
the appropriate personnel? and are proper records of the 
attack maintained? 

If the attack was detected by the security system, note that 
fact and go to the next attack to be executed at the next 
specified time. 

If the attack succeeds and is not detected by the computer 
system security mechanism, then the security manager 
is notified, alarms are set off, and the appropriate 
records are generated. 

(iv) at the time specified by the time element in the next 
attack-pair execute step (ii). 

The above steps are preferably to be executed on line in 
real time. If desired, the attacks can be simulated at off-shift 
real time. 

FIG. 6 presents a flow chart 20 of the above four steps. 
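
The four steps above, sketched as an added example (not code from the patent): a schedule of random (attack type, time) pairs is generated, each simulated event is presented to a constructed stand-in for alarm system B, and the security log is checked for a matching record. The names `ToyAlarmSystem`, `make_attack_pairs`, `run_alarm_test` and the ID `tester-01` are hypothetical, and times are carried as data rather than waited for.

```python
import random
from datetime import datetime, timedelta

# The five illustrative classes of invasion, (i) through (v) in the text.
ATTACK_TYPES = ["false_password", "duplicate_logon", "scope_violation",
                "unauthorized_modification", "unauthorized_transmission"]

def make_attack_pairs(day, count, rng):
    """Step (i): build (attack type Ei, random time Ti) pairs for one day."""
    pairs = [(rng.choice(ATTACK_TYPES),
              day + timedelta(seconds=rng.randrange(86400)))
             for _ in range(count)]
    return sorted(pairs, key=lambda p: p[1])  # execute in time order

class ToyAlarmSystem:
    """Constructed stand-in for alarm system B: records only what it detects."""
    def __init__(self, detects):
        self.detects = set(detects)
        self.log = []  # plays the role of the security log file in register 15

    def observe(self, event_type, when, user_id):
        if event_type in self.detects:
            self.log.append({"type": event_type, "time": when, "user": user_id})

def run_alarm_test(pairs, alarm, tester_id="tester-01"):
    """Steps (ii)-(iv): run each pair, then check the log for a matching record."""
    results, notifications = [], []
    for etype, when in pairs:
        alarm.observe(etype, when, tester_id)   # (ii) simulated attack Ei at Ti
        detected = any(r["type"] == etype and r["time"] == when
                       and r["user"] == tester_id
                       for r in alarm.log)      # (iii) was the attack registered?
        results.append((etype, when, detected))
        if not detected:                        # undetected: tell the security manager
            notifications.append(f"UNDETECTED {etype} at {when.isoformat()}")
    return results, notifications

if __name__ == "__main__":
    day = datetime(2024, 1, 1)  # constructed sample date
    alarm = ToyAlarmSystem(detects=ATTACK_TYPES[:4])  # blind to class (v)
    schedule = make_attack_pairs(day, 10, random.Random())
    _, missed = run_alarm_test(schedule, alarm)
    print("\n".join(missed) or "all simulated attacks were registered")
```
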
What is claimed is: 

1. A method for testing the integrity of a computer alarm 
system which is one of associated with a computer and part 
of a computing network, the method comprising: 

testing the computer alarm system by dynamically and
actively simulating an attack on the computing network
including the alarm system itself; and

registering information pertaining to the status of the
computing network alarm system attendant upon the
simulated attack during said testing.

2. The method according to claim 1, wherein a knowledge 
of vulnerabilities of one of said computer and said comput- 
ing network are unknown prior to testing said computer 
alarm system. 

3. The method according to claim 1, wherein said attacks 
are simulated on said one of said computer and said com- 
puting network to determine a performance of said computer 
alarm system. 

4. The method according to claim 1, wherein said simu- 
lated attack comprises: 

determining whether a user is attempting to log-on with a
false password; and

determining a number of times said user attempts said
log-on with said false password.

5. The method according to claim 4, further comprising: 
when a number of attempted log-ons reaches a predeter- 
mined number, recording an error message in said 
register, and providing an alarm. 

6. The method according to claim 1, wherein said simu- 
lated attack comprises at least one of: 

determining whether a user with a legal identification and 
password attempts to log on, and whether said identi- 
fication and said password are already in use; and 

determining whether a legitimate user on the system
attempts to one of access unauthorized files, and run 
programs which the user is not authorized to run, 

wherein when any one of said identification and said 
password are already in use, and when the user attempts 
to one of access unauthorized files, and run programs 
which the user is not authorized to run, an error 
message is recorded in said register, and an alarm is 
provided. 

7. The method according to claim 1, wherein said simu- 
lated attack comprises: 

determining whether a modification has occurred of one 
of a program and a data file without authorization.

8. The method according to claim 7, further comprising:
when it is determined that the modification has occurred,
recording an error message in said register, and
providing an alarm.

9. The method according to claim 1, wherein said simu- 
lated attack comprises: 

determining whether unauthorized transmission of pro- 
grams or data files to another user or to another node 
outside the computer network, has occurred. 

10. The method according to claim 9, further comprising: 
when the unauthorized transmission has occurred, record- 
ing an error message in said register, and providing an 
alarm. 

11. The method according to claim 1, wherein said testing 
uses a set of user IDs and passwords, and 

wherein said attacks are simulated at random times, such 
that both a time of attack and a type of attack are 
generated randomly. 

12. Apparatus for testing the integrity of a computer alarm 
system which is one of associated with a computer and part 
of a computing network, the apparatus comprising: 

a tester for testing the computer alarm system by dynami- 
cally and actively simulating an attack on the comput- 
ing network including the alarm system itself; and 

a register for registering information pertinent to the 
status of the computing network alarm system attendant 
upon the simulated attack by said tester. 

13. The apparatus according to claim 12, wherein said 
tester has a set of user IDs and passwords, and

wherein said attacks are simulated at random times, such
that both a time of attack and a type of attack are 
generated randomly. 

14. The apparatus according to claim 12, wherein said 
tester is embedded as a software package in one of said
computer system and in all nodes of the computing network.

15. The apparatus according to claim 12, wherein said 
tester and said security alarm system are on line, and operate 
in real time. 

16. The apparatus according to claim 12, said tester 
includes a set of pairs of elements comprising at least one
group of paired first and second elements,

said first element representing a type of attack to occur, 
and said second element representing a random time at 
which the attack is to occur.

17. The apparatus according to claim 16, wherein each
group of paired first and second elements is dynamically 
generated, with a record of it supplied to the register. 

18. The apparatus according to claim 16, wherein an
entire set of pairs is supplied in advance.

19. The apparatus according to claim 12, wherein a
knowledge of vulnerabilities of one of said computer and 
said computing network are unknown by said tester prior to 
testing dynamically and actively said computer alarm sys- 
tem. 

20. The apparatus according to claim 12, wherein said
attacks by said tester are simulated on said one of said 
computer and said computing network to determine a per- 
formance of the alarm system. 
